php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #58481 Group authority is not recognized
Submitted: 2009-01-02 20:19 UTC Modified: 2009-01-12 13:41 UTC
From: rod at zend dot com Assigned:
Status: Closed Package: ibm_db2 (PECL)
PHP Version: 5.2.5 OS: i5/OS or ibm i
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: rod at zend dot com
New email:
PHP Version: OS:

 

 [2009-01-02 20:19 UTC] rod at zend dot com
Description:
------------
A user profile is not allowed to access a table when a group profile is used to grant that user profile authority to access the table.  However, the user profile can access the table in a SQL Interactive Session.

Reproduce code:
---------------
<?php  
$i5 = db2_connect("", "", "");
if (!$i5) die(db2_conn_errormsg());
$result = db2_exec($i5,"select * from qgpl.qordhdr");
if (!$result) die(db2_stmt_errormsg());
else echo "Connected OK";
db2_close($i5);
?>

Expected result:
----------------
Given that table qgpl.qordhdr has *PUBLIC *EXCLUDE and NOGROUP *USE authorities, the above script should output "Connected OK."

Actual result:
--------------
Given that table qgpl.qordhdr has *PUBLIC *EXCLUDE and NOGROUP *USE authorities, the above script instead outputs "Not authorized to object QORDHDR in QGPL type *FILE. SQLCODE=-551"

If you modify user profile NOBODY to allow sign on, you can sign on to a 5250 session as NOBODY, execute the STRSQL command, and successfully run the statement "select * from qgpl.qordhdr" (provided SQL Naming is used).

If you specifically grant *USE authority to user NOBODY for the table, the script will run.  However, this should not be necessary, as user NOBODY is part of group NOGROUP, and simply authorizing NOGROUP allows a successful select statement in the SQL Interactive Session.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-01-05 01:58 UTC] abhargav at in dot ibm dot com
Hi,

Is your server and client both are running on i5/OS?

Regards,
Ambrish Bhargava
 [2009-01-05 12:47 UTC] rod at zend dot com
Yes, the script is running on the i5.  There is no separate client, unless you are referring to the web browser, which of course does run on a PC.  Please forgive my ignorance, but if you can explain what you mean by "client" in this context, perhaps I can better understand what you are driving at, and can give a better answer.

In the example script, we are literally not putting in any database name, user, or password for the db2_connect().  When run this way, the local database on the i5 is used, with the default Apache user profile, which is NOBODY.  As installed by Zend Core, user NOBODY is attached to the group profile NOGROUP.
 [2009-01-12 13:41 UTC] rod at zend dot com
Further testing shows that the group profile is not recognized in PHP generally.  The problem does not appear to be in ibm_db2.  The group authority issue will be dealt with elsewhere.  It is expected that correcting the underlying group authority issue will allow ibm_db2 to access the table correctly.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Aug 21 14:01:26 2019 UTC